#438 Integer underflow causes segfault in readelf

[antiAgainst]

I encountered this problem when using readelf built from r2983.

In short, at readelf.c:3930, nlen + 4 could be bigger than seclen, then an integer underflow happens, which eventually causes a segfault. A test case triggering this bug is attached. The command to reveal this problem is readelf -a readelf-5-83-A.

The following is an analysis using gdb.

Without any breakpoints, gdb output and backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000409eda in dump_attributes (re=0x7fffffffd8b0) at readelf.c:3933
3933                                    tag = *p++;

#0  0x0000000000409eda in dump_attributes (re=0x7fffffffd8b0) at readelf.c:3933
#1  0x000000000040a7e0 in dump_arch_specific_info (re=0x7fffffffd8b0) at readelf.c:4157
#2  0x0000000000410c43 in dump_elf (re=0x7fffffffd8b0) at readelf.c:6224
#3  0x000000000041139a in dump_object (re=0x7fffffffd8b0) at readelf.c:6374
#4  0x00000000004123ea in main (argc=1, argv=0x7fffffffda98) at readelf.c:6841

Set breakpoint and line 3930 and print the values for seclen and nlen, which are 4 and 5 respectively. After line 3930, p /x seclen shows seclen is 0xfffffffffffffffb. And seclen is an unsigned int. This is an underflow. And later the sublen read from memory is 0x801bc0ee. At line 3961, p is assigned to sp + sublen, pointer out of bounds. And segfault later.

[antiAgainst]

Actually Binutils also has this problem. Here is the link for the same bug reported to Binutils: https://sourceware.org/bugzilla/show_bug.cgi?id=16664. Hope this helps.

[Ed Maste]

Not reproducible, probably fixed by [r3155]